In this article, you will learn everything you need to know about the Next-Gen Antivirus & MDM module.
1. Description
2. How does Next-Gen Antivirus & MDM work?
3. HEIMDAL Agent - Next-Gen Antivirus & MDM
4. Next-Gen Antivirus & MDM view
5. Next-Gen Antivirus & MDM settings
DESCRIPTION
Next-Gen Antivirus & MDM is the reactive protection side of our product suite: the Next-Gen Antivirus solution reacts to infected files found on the system. It combines the techniques used by both traditional and next-generation antivirus products to detect and remediate viruses, APTs, financial fraud, ransomware, and data leaks, and it complements the Threat Prevention - Endpoint product module to offer all-around protection. It offers a centralized management interface across all devices for easy corporate client management, is flexible and easy to use, and offers a wide variety of scanning profiles to fit your corporate needs. The addition of the XTP engine supercharges the current Next-Gen Antivirus with Extended Threat Protection (XTP) capabilities, supplying you with evidence-based information about sophisticated cybersecurity risks, offering a holistic view of weaknesses categorized by MITRE ATT&CK tactics and techniques and, ultimately, providing state-of-the-art protection. The new version of Heimdal's Next-Gen Antivirus offers more Windows OS native capabilities, as well as the XTP engine with its aforementioned benefits.
HOW DOES NEXT-GEN ANTIVIRUS & MDM WORK?
As a standalone Antivirus product, Next-Gen Antivirus & MDM features a threat scan module capable of detecting viruses, trojans, riskware, heuristic threats, adware, backdoors, constructors, dialers, exploits, trash, and APCs. Besides the scan module that is available on each HEIMDAL Agent installation, the Antivirus as a concept also includes a reporting and control dashboard, a protection cloud, a local quarantine location, and VDFs (Virus Definition Files).
HEIMDAL AGENT - NEXT-GEN ANTIVIRUS & MDM
Endpoint Detection - Next-Gen Antivirus (inside the HEIMDAL Agent) allows the end-user to run a scan or to stop a scan operation (if allowed in the Group Policy settings) and it also displays information about the detected Infections and the Quarantined files.
The end-user who is allowed to start a scan operation can click on the Go To Scan button, where he can select a scan type from the following:
- Quick Scan - scans critical OS locations and the most common target folders known for virus activity:
  1. Windows: C:\Windows\system32, C:\Windows\SysWOW64, C:\Program Files\Common Files, C:\Program Files (x86)\Common Files, C:\Windows;
  2. macOS: /System/Library/Extensions/, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/StartupItems, /Library/Extensions, /Library/Internet Plug-Ins, /Library/LaunchAgents, /Library/LaunchDaemons, /Library/StartupItems, /Library/PrivilegedHelperTools, /Library/Preferences/loginwindow.plist, /Library/Preference/loginitems.plist, /Library/Preference/loginwindows.plist, /Users/*/Library/Internet Plug-Ins, /Users/*/Library/LaunchAgents;
- Active Processes Scan - scans all the processes currently running on the machine;
- Full Scan - scans all the local files on the computer;
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks, including the hard drives, optical drives, and external storage;
- Removable Drive Scan - scans the files that are on flash, optical or external drives;
- System Scan - scans the system directory;
- Network Drive Scan - scans mapped network drives (does not work with network locations). The HEIMDAL Agent detects infected files, but no action (Quarantine/Delete) is performed, because a file located on a network share cannot be moved to the local quarantine folder.
The HEIMDAL Agent also displays the scheduled scans that are configured in the Group Policy.
There is also an option to scan individual files/folders using the option Scan with Next-Gen Antivirus, which can be found by right-clicking on the selected file/folder. This scan type comes with a limit of 15 selected files/folders at a time.
The Infected/Quarantined view displays a list of intercepted Files, the Threat Category, Infection Name, and Date.
NEXT-GEN ANTIVIRUS & MDM VIEW
The Endpoint Detection - Next-Gen Antivirus view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected/quarantined files intercepted by the HEIMDAL Agent's Next-Gen Antivirus engine. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Latest Infections, Infections Type, Hostname/Infections, Quarantine, Exclude, Scan History, and Zero-Trust Execution Protection.
- Latest Infections
This view displays a table with the latest detected infections and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple infected files and add it/them to quarantine, delete it/them, or add it/them to storage.
- Infections Type
This view displays a table with the infection types and the following details: Threat Category, Number of Matches, Most Targeted Hostname, Username, and Last Match.
- Hostname/Infections
This view displays a table with the hostnames and their infections and the following details: Hostname, Username, Highest Threat Category, Number of Matches, and Last Match.
- Quarantine
This view displays a table with all quarantined files and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple quarantined files and remove it/them from quarantine or add it/them to storage.
Quarantined files are kept for 90 days (this is the default value).
- Exclude
This view displays a table of all exclusions and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp.
- Scan History
This view displays a table with each computer that performed scan operations (only the latest scan is displayed) and the following details: Hostname, Username, Group Policy, Timestamp, New Infections Found, and Resolution. This view allows you to select one or multiple endpoints and select a scan type (Quick Scan, Full Scan, Active Processes Scan, Hard Drive Scan, Local Drive Scan, Removable Drive Scan, System Scan, Network Drive Scan). The selected scan starts on the first Group Policy check performed by the HEIMDAL Agent on the selected endpoint.
- Zero-Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button gives you the option to search the file hash on VirusTotal or to copy the file path to the clipboard. The detection status can be Unknown (intercepted by ZTEP and not found in our database; files that are whitelisted globally by the Heimdal Support Team propagate to the endpoints 3 days after the whitelisting) or Allowed (intercepted by ZTEP, but whitelisted in our database). The data in this view is updated in real time.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
The files listed in the Latest Infections view, Quarantine view, and Exclude view can get one of the following Resolution statuses:
None - no action is taken on the file;
Deleted - the file is deleted;
DeletePending - the file has been selected for deletion and it will be deleted when the HEIMDAL Agent performs a GP check;
ErrorDelete - the file has been selected for deletion but an error occurred (the file could be in use);
ErrorQuarantine - the file has been marked to be quarantined but an error occurred (the file could be in use);
FNOEXIST - the file has been marked to be deleted or quarantined but does not exist at the given path (it has been removed manually or was not allowed to be written to the disk drive). A file that is copied/extracted/downloaded (that is, written to disk) is intercepted in memory before being written and is NOT allowed to be written. The Next-Gen Antivirus displays an infection event, and the file is not quarantined because it was blocked in memory;
Quarantined - the file has been quarantined. A quarantined file is automatically deleted after 30 days if it has not been restored;
QuarantinePending - the file has been marked to be quarantined and this operation will take place on the next HEIMDAL Agent GP check;
DeleteQuarantinePending - the file has been selected for deletion and this operation will be performed on the next HEIMDAL Agent GP check;
Excluded - the file has been excluded;
ExcludePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ExcludeQuarantinePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ErrorExcludeQuarantine - the file has been marked to be excluded and an error occurred;
ErrorRemoveQuarantine - the file has been marked to be removed from the Quarantine list and an error occurred (the file could have been deleted manually);
RemoveExclusionPending - the file has been marked to be excluded and the operation will be performed on the next HEIMDAL Agent GP check;
RemoveQuarantinePending - the file has been marked to be removed from the Quarantine list and the operation will be performed on the next HEIMDAL Agent GP check;
NEXT-GEN ANTIVIRUS & MDM SETTINGS
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus module;
General Settings
AutoScan USB Ports - turns on/off the automatic scan of any USB Removable Device (like flash drives, storage devices, HDDs) that is plugged into a computer. For Enterprise users, the option automatically opens a popup with the running Scan window;
USB Silent Mode Scan - does not display a Scan window on the end-user computer. This option works only for USB Removable Devices (not for other plug-and-play devices like headphones, cameras, mice, or keyboards) and can be turned on only if AutoScan USB Ports is turned on. The endpoints are scanned in real time to catch both known and unknown threats: all actions performed on any file, such as reading, writing, or executing, are scanned so that malicious activity is detected immediately;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required to activate/deactivate this function;
USB restrictive mode - disables ALL USB devices found on the computer except those on the allowed list. A computer reboot is required to activate/deactivate this function. USB restrictive mode lets you add a device to the allowlist (based on either Class or Hardware ID), thus allowing it to run:
The Hardware ID differs by brand/model of the USB Device. The top one is the most specific, as shown below:
The Class ID is shared by all USB Devices of the same type and can be found as follows:
Allowing a single hardware ID is not enough to enable a single USB thumb drive. The IT admin also has to ensure that all the USB devices preceding the target one in the device tree are allowed (not blocked). In our case, the following devices have to be allowed so that the target USB thumb drive can be allowed as well:
- Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft) -> PCI\CC_0C03
- USB Root Hub (USB 3.0) -> USB\ROOT_HUB30
- Generic USB Hub -> USB\USB20_HUB
- USB Mass Storage Device
- Generic Flash Disk USB Device
USB devices nested under each other in the PnP tree
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't prevent any external/peripheral device from being installed on the machine. Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing his/her machine through HID devices.
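To find out which devices precede a USB thumb drive in the PnP tree, the chain can be read from the endpoint itself. The following PowerShell script is an added example, not part of this article or of the HEIMDAL Agent; it relies on the built-in PnpDevice module (Get-PnpDevice and Get-PnpDeviceProperty, available on Windows 8.1 / Server 2012 R2 and later), and the friendly-name filter 'Generic Flash Disk' is a sample value to replace with your own device.

```powershell
# Added example (not Heimdal's code): list the PnP ancestor chain of a USB
# device so that every device "above" it can be put on the USB restrictive
# mode allowlist. Run from an elevated PowerShell prompt on the endpoint.

function Get-UsbAllowlistChain {
    [CmdletBinding()]
    param(
        # Substring of the device's friendly name, e.g. 'Generic Flash Disk'.
        # Sample value for illustration; replace it with your device.
        [Parameter(Mandatory)] [string] $FriendlyNameMatch
    )

    # Start from the target device (the leaf of the chain).
    $leaf = Get-PnpDevice -PresentOnly |
        Where-Object { $_.FriendlyName -like "*$FriendlyNameMatch*" } |
        Select-Object -First 1
    if (-not $leaf) { throw "No present device matches '$FriendlyNameMatch'." }

    $chain = New-Object 'System.Collections.Generic.List[object]'
    $instanceId = $leaf.InstanceId
    while ($instanceId) {
        $dev = Get-PnpDevice -InstanceId $instanceId -ErrorAction SilentlyContinue
        if (-not $dev) { break }
        $hwIds = (Get-PnpDeviceProperty -InstanceId $instanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        $chain.Add([pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            ClassGuid    = $dev.ClassGuid
            # The first hardware ID is the most specific one (the "top one" in the article).
            HardwareId   = $(if ($hwIds) { $hwIds[0] } else { $null })
            InstanceId   = $instanceId
        })
        # Walk up to the parent node; Data is empty once the root of the tree is reached.
        $instanceId = (Get-PnpDeviceProperty -InstanceId $instanceId -KeyName 'DEVPKEY_Device_Parent').Data
    }

    # Root first, target device last: the order in which the allowlist must be built.
    $chain.Reverse()
    return $chain
}

Get-UsbAllowlistChain -FriendlyNameMatch 'Generic Flash Disk' | Format-Table -AutoSize
```

Run it with the device plugged in; the output lists the chain from the root controller down to the target, with the most specific Hardware ID and the device Class of each node, which is the set of entries the restrictive-mode allowlist needs. On desktop machines, run it against the keyboard and mouse as well, so that the hubs they hang off end up on the list before the mode is activated.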
Device protection actions - a dedicated table will be displayed, in which the Dashboard user can select one or multiple actions (Isolate, Shutdown, or Logout) to be taken in case of detections occurring in either NGAV, Firewall, or REP modules.
IMPORTANT
In case Device protection actions is enabled and the Firewall module is disabled, the latter will be enabled automatically, as will the Endpoint isolation setting. If the Ransomware Encryption Detection module is disabled or the submodule is not licensed, the row inside the grid, corresponding to Ransomware Encryption Detection, will be disabled (not actionable). For the Firewall module, the only available protection action is Isolation and it will be triggered after a minimum of 100 occurrences of public Brute Force Attacks. Disabling the newly added setting after a Group policy update will trigger a toast message informing the dashboard user that disabling the Device protection actions feature will not disable the Firewall module and the Endpoint isolation setting.
In case multiple actions are selected for a module, these will be executed in order: Isolation first, followed by Shutdown and Logout, as the third action (depending on the combination of actions, in some scenarios, the Logout action will not be performed anymore).
Agent Balloon Notifications - allows the HEIMDAL Agent to display a balloon notification on detected files;
Hide Windows Defender interface - allows you to hide the Windows Defender interface (within Windows Security Center). Hiding the interface will make it so that the Virus & Threat protection section in Windows Security Center gets hidden also.
While hidden, the Security providers section will display No providers in the Antivirus field.
Antivirus Settings
Isolate on Tamper Detection - isolates a computer from the Internet if one or more HEIMDAL Security services are stopped by external intervention. The Firewall product will be enabled if it is disabled;
Allow users to stop AV Service - allows the end-users to stop the Heimdal Antivirus service on the endpoint based on a password set by the IT Administrator. Once enabled, you can set the password and the Auto-Restart interval for the Antivirus service (between 2 and 60 minutes). The password must be longer than 6 characters, and the pause interval is in the range of 2-60 minutes.
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent;
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent;
Zero-Trust Execution Protection
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can also be enabled/disabled from the Privileges & App Control -> Privileged Access Management module and the Privileges & App Control -> Application Control module as well). Zero-Trust Execution Protection checks the unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - scans and logs all the processes with Zero-Trust Execution Protection to the HEIMDAL Dashboard without taking any action (allow or block). Note that the Zero-Trust Execution Reports are sent only if the status is Unknown or Blocked;
Exclusions - you are allowed to exclude a process or a file from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
Update virus definitions interval [min] - allows you to set the update time interval for the virus definition files. The default value is 120 minutes and it can be extended to 360 minutes. This feature checks whether there are any new virus definition files (VDFs) available on the HEIMDAL servers. When a new VDF file is available, it is automatically downloaded to the local agent database. It is recommended to keep the interval at 120 min so that the database is updated as soon as possible.
Schedule Scan
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create;
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile;
- Full Scan - scans all the files on the endpoint;
- Quick Scan - scans critical OS locations and the most usual target folders which are known for virus activity (Windows: C:\Program Files\Common Files, C:\Program Files (x86)\Common Files, C:\Windows, C:\Windows\system32, C:\Windows\SysWOW64 | macOS: /System/Library/Extensions/, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/StartupItems, /Library/Extensions, /Library/Internet Plug-Ins, /Library/LaunchAgents, /Library/LaunchDaemons, /Library/StartupItems, /Library/PrivilegedHelperTools, /Library/Preferences/loginwindow.plist, /Library/Preference/loginitems.plist, /Library/Preference/loginwindows.plist, /Users/*/Library/Internet Plug-Ins, /Users/*/Library/LaunchAgents);
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks including the hard drives, optical drives, and external storage;
- System Scan - scans the system directory;
- Removable Drive Scan - scans files stored on flash, optical or external drives;
- Network Drive Scan - scans files on Mapped Network Drives. It detects the infection(s), but NO action is performed, because the Next-Gen Antivirus cannot move a file from a network location into the local Quarantine folder. This scan type works with Mapped Network Drives but does NOT work with Network locations;
- Active Processes Scan - scans the processes that are currently running on the endpoint;
- Custom Scan - available only on the end user's computer in the HEIMDAL Agent, allows the scan of any file by using the right-click context menu and then selecting Scan with HEIMDAL Next-Gen Antivirus & MDM which will open a new window with the result;
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or the month and the time interval when to run the selected Scan Type.
IMPORTANT
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions: objects that Next-Gen Antivirus & MDM ignores when it scans. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Priorities
Low (former Normal Exclusions) - scans the object first and excludes it after;
Medium (former Real-Time Exclusions) - excludes the object directly from the real-time driver and pre-scans it. Only use this when the Low priority doesn't work. This priority is recommended for applications and external drives that are used regularly and for long periods of time, to avoid having their files/folders blocked instantly by the Antivirus scanning.
High - excludes the object without performing any scan. This priority type allows up to 5 High priority exclusions. A toast warning is displayed if a user tries to add more than five High priority exclusions.
Types
Filename - allows you to specify the filename that you want to exclude (e.g. test.exe, file.doc, file.txt, example.msi);
File Path - allows you to specify the file path where the file is located on the hard drive (e.g. C:\Users\Username\Desktop\test.exe, C:\test.exe);
Directory - allows you to specify a directory path to be excluded (sub-directories are automatically excluded) from scanning (e.g. C:\Users\Username\Desktop, C:\Downloads);
Pattern - allows you to specify a pattern (e.g. C:\test\*.*, *.bat) that should be excluded from scanning. This option does not work with System Variables (%USERPROFILE%, %TEMP%, or others).
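To make the difference between the four exclusion types concrete, here is an added PowerShell example; it is not Heimdal's code and does not reproduce the product's matching engine. The rules it uses (case-insensitive comparison, a Directory entry covering everything beneath it, and a Pattern entry using wildcard matching with no environment-variable expansion) are assumptions for illustration, and the exclusions and paths are constructed sample data.

```powershell
# Added example (not Heimdal's code): illustrate how Filename, File Path,
# Directory and Pattern exclusions differ. Matching rules are assumptions.

function Test-ExclusionMatch {
    param(
        [Parameter(Mandatory)] [string]      $Path,        # full path of the scanned file
        [Parameter(Mandatory)] [hashtable[]] $Exclusions   # @{ Type='Directory'; Value='C:\Downloads' }, ...
    )
    $norm = $Path.TrimEnd('\')
    $leaf = Split-Path -Path $norm -Leaf
    foreach ($ex in $Exclusions) {
        $v = $ex.Value.TrimEnd('\')
        $hit = switch ($ex.Type) {
            # Filename: only the file name is compared, wherever the file lives.
            'Filename'  { $leaf -ieq $v }
            # File Path: the complete path must match.
            'File Path' { $norm -ieq $v }
            # Directory: the directory itself or anything beneath it (sub-directories included).
            'Directory' { ($norm -ieq $v) -or $norm.StartsWith($v + '\', [StringComparison]::OrdinalIgnoreCase) }
            # Pattern: -like wildcards (* and ?). A %VAR% is compared literally, so it never expands.
            'Pattern'   { ($norm -ilike $v) -or ($leaf -ilike $v) }
            default     { throw "Unknown exclusion type '$($ex.Type)'" }
        }
        if ($hit) { return $ex }
    }
    return $null
}

# Constructed sample exclusions, one per type, plus a pattern that cannot work.
$exclusions = @(
    @{ Type = 'Filename';  Value = 'test.exe' },
    @{ Type = 'File Path'; Value = 'C:\Users\Username\Desktop\tool.exe' },
    @{ Type = 'Directory'; Value = 'C:\Downloads' },
    @{ Type = 'Pattern';   Value = 'C:\test\*.*' },
    @{ Type = 'Pattern';   Value = '*.bat' },
    @{ Type = 'Pattern';   Value = '%TEMP%\*.log' }   # never matches: the variable is not expanded
)

# Constructed sample paths to evaluate against the list above.
$samples = @(
    'C:\Games\test.exe',                     # excluded by Filename
    'C:\Users\Username\Desktop\tool.exe',    # excluded by File Path
    'C:\Downloads\sub\dir\setup.msi',        # excluded by Directory (sub-directory)
    'C:\test\a.dll',                         # excluded by Pattern C:\test\*.*
    'D:\scripts\run.bat',                    # excluded by Pattern *.bat
    "$env:TEMP\app.log"                      # scanned: %TEMP% pattern is compared literally
)

foreach ($p in $samples) {
    $m = Test-ExclusionMatch -Path $p -Exclusions $exclusions
    '{0,-40} {1}' -f $p, $(if ($m) { "excluded by $($m.Type) '$($m.Value)'" } else { 'scanned' })
}
```

The last sample is the one worth noticing: the %TEMP% pattern is stored as written, so a file that actually lives under the temp folder is still scanned. To exclude such a location, use a Directory entry with the resolved path instead of a Pattern with a variable.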
Profiles
The Profiles allow you to exclude known paths for specific server roles:
- Domain Controller
- Exchange Server
- File and Storage Server
- Microsoft SQL Server
- MySQL Server
- Print Server
- RDP Server
These profiles come with predefined exclusions for folders/files associated with the server.
This section allows you to import a CSV list of exclusions, but you can also download an existing exclusion list in CSV format.
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
- A file that is added to the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected;
- A file that is added to the Global Quarantine List based on File Path can be quarantined no matter if the Antivirus engine detects it as Suspicious/Infected or not;
- Files added by File Path will be marked as Suspicious;
- .txt files added by File Path will not work with Real-Time Scanning.
Scan Settings
Next-Gen AV CPU Throttling Limit % - adjusts the CPU throttling limit of the Next-Gen AV scans, using a slider ranging from 5% to 90%.
Note: keep in mind that instantaneous values will sometimes spike beyond the set limit; however, this feature brings the average CPU usage below the set value.
OS-specific settings
Real-Time Protection - the endpoints will be scanned in real-time to catch both known and unknown threats;
Real-Time Archive Scan - enables the scan of archives and their contents. After enabling this option you can also set the Maximum Recursion depth (scans the parent archive and the child archives included in the parent archive, up to the 10th level) and Maximum archive files (scans the selected number of files included in an archive and only up to 100 files). Enabling this feature will impact the CPU performance as it requires more processing power;
False Positive Control - allows the Next-Gen Antivirus to identify exceptional false positives detections in real-time and prevent them from impacting the performance of antimalware scanning;
Protection Cloud - sends a suspicious file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Real-Time Scan Network Files - enables the Next-Gen Antivirus to perform a real-time scan each time a change is made on your network drives;
Heuristic Settings - turn ON/OFF the detection of unknown viruses by analyzing affected code and scanning for virus-specific functions. Based on the selected Heuristic Detection Level (Low, Medium, High) the appropriate number of detection rules are activated, increasing or decreasing the aggressiveness level of detection (please be aware that a Heuristic Level High can increase the number of false positives and that for desktop environments Heuristic Level Low and Medium are recommended);
Scan Mode - allows you to select the way the real-time engine performs system scans:
- SMART - the real-time engine will scan all files based on the file type and file content by sophisticated algorithms. This option will speed up a system scan and provide the same level of protection;
- ALL - the real-time engine will scan all files (but it will take considerably more time to finish).
Default Scan Action on Infected - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting an infected file: Deny (block the file without taking any action on it), Quarantine, Allow, or Delete. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy;
Default Scan Action on Suspicious - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting a suspicious file: Deny (block the file without taking any action on it), Quarantine, or Allow. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy.
Check out the Extended Threat Protection engine here!